LulzSec hacking suspect 'Topiary' arrested in the Shetland Islands

An 18-year-old man has been arrested by British police in Shetland, UK, under suspicion of launching hacking attacks against a number of websites.

Officers from the Metropolitan Police Service's Police Central e-Crime Unit (PCeU) arrested the man as part of an international investigation into the activities of the Anonymous and LulzSec hacktivist groups.

The man, who was arrested at a residential address in Shetland, is said to have used the online nickname "Topiary" and acted as a spokesperson for the groups via forums such as Twitter.

The suspected hacker is currently being transported to a central London police station, and a search is taking place at his home.

"Topiary" has been identified in the past as having a leading role in hacktivist attacks launched by the LulzSec and Anonymous groups.

In recent months the LulzSec gang have hacked and launched denial-of-service attacks against a number of high-profile websites including The Sun, the CIA, SOCA, Sony, PBS and the US Senate.

In a related police operation, officers are searching a residential address in Lincolnshire where a 17-year-old male is being interviewed under caution in connection with the inquiry. He has not been arrested.

The truth is that LulzSec and other hacktivist groups have recently been playing an extremely dangerous game - taunting the likes of the FBI and British police with a series of hacks and attacks and believing themselves to be invincible.

If the arrested man is indeed a key member of the LulzSec gang, it could be the British police who have the last laugh.

Interestingly, Topiary recently deleted all the messages he had previously posted on Twitter, replacing them with a simple message:

"You cannot arrest an idea"

Is it possible he saw the writing on the wall?

Just last week, the UK's PCeU arrested a 16-year-old youth - believed to be the LulzSec/Anonymous hacker known as "T-Flow" - in South London, on suspicion of breaching the Computer Misuse Act. Other arrests took place at the same time in the United States and the Netherlands.

We'll publish more information as it becomes available. Feel free to follow me on Twitter for the latest updates.

I'm sorry but defacing some websites/DOSs and some md5 hashes aren't really putting oppressive tyrannies underground. What they did to HBGary was good and deserved - I hope they actually release the News of the World emails because those bastards deserve it. The rest was just low-hanging fruit and not really worth so much.

What they did to HBGary was neither good nor deserved. Releasing News of the World emails is neither good nor deserved. The authorities will deal with News of the World. Don't get fat and sleepy on low hanging fruit.

woohoooooooooooooooooooooooooooooo get those punks and lock away the key!!!! hacking is in fact a federal international crime punishable by 25 years in jail and a permanent ban from ever owning a computer or internet ready device

Why is the fact that they are all under 25 not a surprise to me? Where are these kids' parents? They should be made to stand right next to these ungrateful entitlement filled delinquent runts. Oh, and a message to lulzsec (and who is having the lulz now?) - don't mess with the big boys (CIA, Sun, et al.). You are finding they have much bigger teeth and are much more willing to go after you than a few unsuspecting banks or public institutions.

Right. DDOSing companies for censoring Wikileaks and attacking companies who've sober shitty things is entitlement. You see kids and hacking and use your ignorance to invent reasons to vilify them. Good job.

I think by the time they're 19 (and certainly 25) it shouldn't much matter where their parents are... But at any rate, it's essentially an ad hominem attack to simply accuse them of being juvenile. I may not agree with their means, but I often find myself approving of their choices of opponents.

For the majority of the idiots posting against lulzsec & anonymous
You really have no clue how this world works. You are plugged so far into the matrix & controlled by the media you could be a pair of Murdoch's underpants.
By definition these hackers got upset that PayPal suspended payments to WikiLeaks but carry on taking money from the KKK & EDL. So not only are you naive but also racist. Well done, what fine examples of right winged humans you are. Fools

Did you get beaten as a child? Neglected maybe, or shunned from society? As they are the only reasons I can come up with for you to spout such idiotic words. We have hurt these companies more than anyone could ever imagine, and here you are attempting to slate us for doing something you could never DREAM of doing. We believe in something that you will eventually know is right. Open your eyes and see the corruption in these 'Big boy's' that you think so highly of.
We have exposed so many people, including Murdoch who owns news international. Grow some brain cells you mindless Peon.
#ANTISEC

They're not criminals. They are public servants. You are a criminal for being so blind to the true intentions of these typical big companies. These typical big companies are not your friend, and you would be that much smarter if you just woke up one day and admitted it.

It's kind of like the emperor killing the kid who said he was naked. Can you really blame them? Sure it sucks to get hacked, but someone needs to point out that cutting IT jobs down to save money is a really bad idea. In this day and age if you skimp on IT cost it should cost you.

Because most of them realize they've been conned by the big companies and either
1) Intentionally leave security holes to allow checkups on Big Brother, or
2) Feel scummy for working for the companies and organizations and decide to find a job where they aren't raping their fellow man, or
3) Join Lulz

Some people feel that hacking is a valid method of protest. Those who subscribe to such a view should do well to remember that every account breached and email address/password published is a huge risk to the owner of the data.

Anyone who has had their identity stolen will attest to that. Having one's bank account stripped bare, having credit taken out in one's name, being slandered and libeled is a huge problem for the innocent victims.

Ruining thousands of innocent lives just to follow a cause, or even just for the Lulz, is no way to win friends and is much more likely to end in tears for everyone. The track record of so-called hacktivists suggests that they simply don't care.

One wonders what could be achieved if only some of these admirably bright, but ultimately utterly misguided people, would shine their talent on real world problems. It might be difficult to do from your bedroom, but there's the challenge!

The hacks they have performed were not very complex. It therefore stands to reason that others were aware of the exploits and have been using it to get access to that same data, before LulzSec exposed the flaws publicly. You should all be grateful that the exploits were found by these relatively harmless pranksters, rather than much more insidious criminals.

I must say, your idea of harmless pranksters and mine are quite different. If publishing thousands of innocent peoples private information for all to see is a "harmless prank" I would hate to see a malicious attack.

Shining their talent on real world problems would ultimately lead them to create companies, which in turn would create lobbyists for their company's interests, which in turn would put them in bed with the government, which in turn would mean that their companies would bend to the will of the government - just so that these 'admirably bright' people could pay their mortgage. I think this would be against their 'beliefs', thus their actions. I don't see them as 'utterly misguided people'.

As for the people who got hacked, yes it sucks. No, lulzsec probably doesn't care. Neither does anonymous, and here's the kicker - neither do the companies. Do you think Sony really cares about their user accounts? No, otherwise they would have protected them from simple SQL injection attacks. They care about money, the bottom line. Less IT people to pay, higher profits, worse security. So, why is this such a big deal to them? Because it's public and it makes their stocks go down. They lose money. And that's the only way to get the company to change.

Who thinks anonymous or lulzsec is ''trying to win friends"? You don't understand the cause and you don't understand the context.

If you think that those who throw digital stink bombs and blow raspberries at authority on Twitter are the same people who steal identities and clean out bank accounts, then I don't think you're at all qualified to comment. Your perception of who Lulzsec are is completely wrong. Would you consider Bill Hicks to have been a terrorist?

DDOS and other hacking is a valid method of protest. When a company thrives on duping people into false satisfaction while simultaneously causing them to unobviously lose some essential right or liberty in return, that company can only be taught a lesson when people are poked into dissatisfaction. This doesn't mean causing them harm. Any ID thief can cause them harm without hurting the company, and any intelligent person, such as these hacktivist individuals, can find a really good way to prick the company without much problem to the little person.

In all well-known situations, the hacking protests have only caused companies or organizations to lose money from THREATS to leak sensitive information, or from TIME-SENSITIVE scenarios gone awry, such as slowing down the VISA transactions.

These groups ensure that no harm comes to the little people, because they have nothing against them.

Now, what we DON'T care for is ignorant pukes like you taking the popular misconceptions hook, line, and sinker, and then DEFENDING them as if you knew anything.

I hope they are found. However, they have done companies and governments a service. They have highlighted security flaws in government and corporate systems which could have been exploited viciously in a cyber war between nations.

I agree. First of all they are just kids, and second of all, if anything, they should be commended for pointing out some serious security flaws in what are supposedly some of the most secure networks in the world. They have the potential to be tremendous assets if only *someone* would pay for their schooling, get them through a CS degree, and hire them. If anyone should be punished it should be the agencies and companies that were vulnerable in the first place. The reason this is such big news is the agencies and companies involved are assumed to be so secure that something like this should never happen (though it does from time to time). Now that it has, and in full force, sensationalists are taking the focus away from network security and instead focusing on these kids, viewing them as the culprits. This implies that the general public believes that if these kids cease operations, or otherwise just go away, these security problems will stop, but the point is that they won't. These problems will never go away unless the organisations involved actually improve their security, and I humbly suggest that these kids and other similar groups are necessary, in a Darwinian sense, for keeping the security ecosystem in-check. Without them, many important security vulnerabilities could go undetected while more sinister organisations do some real damage without publicising anything. The Sony incident is a perfect example. Clearly the goal here was to slap Sony in the face for what are obviously some rather pathetic network security policies. Unfortunately Sony is so big that a slap in the face has to do millions of dollars in damage before they even notice it, but I don't think anyone would argue that this hasn't improved Sony's security in the long run. Will Sony be able to recover its public image after such an embarrassment, and more importantly, will this severely damage Playstation's ability to compete with Microsoft's Xbox? Who knows... 
but if they are unable to recover from this, I humbly suggest that it is due to natural selection. Sony has already demonstrated in the past that it has little concern for consumer privacy, as evidenced by the blank CD rootkit incident a few years back, so as far as I'm concerned they have already signed their own death warrant anyway. Their clunky, insecure, heat-brick of an entry into the console wars will not be largely missed, I suspect.

Ok - on the one side I get the view that they're pointing out security flaws that need to be fixed... perhaps even only making it public so that action will be taken to secure it (if you report it quietly it could be ignored)... though I don't think that's their reasoning behind it.

My issue comes from the way they're doing it... If I think you should shut up because you're censoring people that should have a right to speak... am I not censoring you? How does that make my actions any different? You think you're censoring someone that should be censored... as am I... so wouldn't I be a hypocrite saying that I was doing it for freedom of speech when I have to stifle someone else's to do it? It's like saying, "violence is not the answer - kill them all so they can't be violent". I suppose one could say drastic measures sometimes need to be taken to be freed from oppression... but they shouldn't be taking innocent people down to make their point. I suppose that's my one big hang up.

You're doing it wrong. Free speech works like this: I have the right to tell you to shut up, but I don't have the right to force you to shut up. If interpreted this way, yes I agree, they should be allowed to publicise whatever data they want in the hopes that it will improve the general quality of global network security. Sometimes change has to hurt a bit ;)

And YOU gonna pay the guards I suppose..or better, you wanna get such fine job or maybe even you'd like to own some little big agency of tough guys like yourself, aha? Would surely make a tidy business and you would surely love every hour of your work, bullying idealistic young guys in cells...

These guys are not yet convicted and you already want to put them in jail. You are violating rights as well. We don't know the age of the attackers yet, we don't know their names, and we don't know their nicknames. We don't know if these guys actually did something wrong.

Remember a while ago when we had the month of daily 0-day security vulnerability releases for Apple / "The Mac"? I believe these events show us that the real culprits aren't the hackers themselves, but rather the vastly held public belief that X product, X technology, or X company is inherently secure and unhackable, and even more so the industry moguls and marketers who knowingly lie and help spread this false belief that, for example, Apple computers are unhackable or even moderately secure compared to your average non-compromised system. All modern operating systems and encryption techniques rely on what is fundamentally the same set of several technologies, and if one of them is truly compromised, EVERYTHING will be hacked. Additionally, it should be noted that many security breaches are due to human error or social engineering rather than an actual security flaw. People need to be more intelligent with their passwords. This is 2011. You can't use "dog" as your password any more, nor can you continue to shrug your shoulders and use "dog1", "dog2", and "dog3" as you are hacked again and again. That is not to say that technology isn't also to blame. Quite recently it was revealed that iOS, to pick on Apple again, ignores years of security industry standards and research on password hashing and actually stores all user passwords in plain text. This is rather horrifying from a security perspective because contrary to popular belief, in the vast majority of circumstances, the plain text for your password is never stored. Instead a one-way "hash" of that password is stored, so the system can effectively check that the password you enter hashes to the same value. This way if the machine storing the username / password database is compromised, no passwords can be recovered because all you can get is hashes, which are useless. If your iPhone is compromised, however, all of your passwords can easily be recovered by the hacker. Thanks again, Apple!

Derp. Why don't you wait for a video of all this to come out? Then your lazy little ass won't have to read anything at all. The person making the post actually had good points, and it was well written.

these flaws are already known. the companies were simply lazy. nothing these "hackers" did is anything new. they scanned for vulnerable computers and tried to play their "hacks" as some kind of noble action.

Also, the authorities are treating this like it's some huge terrorist organisation, when it's really a bunch of 16 year olds getting some lulz. How embarrassing. By treating this as a national-security-level threat, the government is basically admitting that they are on-par with a group of immature 16 year olds running around like a gang looking for Lulz. I know this is an accurate depiction, I just never thought the Gov would admit it so willingly. If recognition that there is a problem is the first step towards solving it, then perhaps this self-characterisation is a step in the right direction!

Incorrect. The powers that be have seen that the next generation are not a bunch of useless layabouts. In fact unlike the previous couple of generations, they've begun to realize the power they have in numbers, and stand to really shake up the status quo if they gain enough confidence from these attacks. Rebellion against the oligarchy must be put down in its early stages or the rich and powerful might lose control.

I find the whole phenomenon fascinating, and I'm actually enjoying watching what a bunch of teenagers can do to a bunch of terrified bureaucrats and impotent tycoons that see control slipping from their grasp. Truly, we live in interesting times.

Yes, our generation will reshape the world, or at least the digital side of it. What you have seen so far is only the beginning. You may be willing to be led along like sheep, treated like slaves by the government and powerful corporations, but we shall stand up and fight for what we believe in.

It's truly sad that such a large portion of all of us haven't yet awakened to smell the coffee. When I see vast numbers of homeowners cast from their homes, all of the dishonest use of bank funds, TSA and Homeland Security and abuse of basic human rights, and on top of all of this, the very recent institution of a "super-Congress" (which BTW barely got even a nod in the media structures), I see there is a group doing something to shake up the abusive fear mongering power structure and, quite frankly, I'm tickled.

lulz, so many naive comments by jealous, wannabe techies or people who are simply scared of technology...

of course the "big boys" want you to think they are setting an example and making a difference, and of course the media will follow suit like a lapdog just to make headlines. but in the eyes of the accused, any PR is GOOD PR. things will just escalate - ebb and flow, ebb and flow. this changes nothing.

yeah, just believe your mainstream-media shit and go on with your pathetic life... it's like arresting a thief after leaving your house unlocked! there's always a plus and a minus for things to work and evolve. And the idea of hiring people that know more about sec and stuff than themselves is far away from reality for those corps. Just george and sony is only one major example. they feel so untouchable and convinced of their own work, it's a shame how a bunch of randoms and teens can bully them around for fun. a smart criminal is far more dangerous to those so-called market leaders than those guys who already did it. blaming lulzsec for their attacks on sony is not half as ridiculous as their sense of security and care about customer data! it's like placing your bike near the supermarket and hope nobody would steal it. good luck telling your insurance company to replace the damage caused by your own stupidity!

So if I forget to lock the back door one day and a thief walks in and steals all my stuff, then he shouldn't be considered as a criminal? Was he just doing me a favour by reminding me to lock my doors so that only real burglars can break in?
Get real - the crime is someone stealing another person's property.
By all means highlight security weaknesses in systems, but don't turn the innocent customers of these organizations into victims by publishing their details and causing them a load of trouble.
We should take the same approach as has largely become the norm for reporting O/S flaws. Notify the offender privately in the first instance so that they have a chance to correct the problem. Escalating to the public domain should be a last resort if no action is taken. Even then, avoid damaging the customers - 'cos that's you and me.

Everyone must admit that all of what has been happening on the Net recently has been truly amazing! "cyber-crime", "Hacktivism", use of the Internet as the last line of communications during revolutions against corrupt governments...these are all parts of humanity laid bare to the world. Even blogs such as this where people take such polar views of a topic...it puts all of mankind on anthropologic display.

So what will we learn from all of this? Will mankind evolve away from our primitive behaviors? Or will all the sides of such a polarizing subject step back and see that our real need is to advance, learn, grow, and hopefully evolve beyond where we are today? Or will we forever remain shackled in darkness by our own ignorance, our need for government, our need for religion, our need for law? Will we ever become responsible for ourselves and our children?

Regrettably, it may not matter whether innocence can be proven. If, as some digital records may show, your IP was where an attack originated, you may find yourself on the losing side of the legal proceedings. Is it worth 5, 10, 30 years of your life to piss off any government agency? No matter what government or agency!

A DDoS is often a prelude to a more sophisticated attack, and sometimes it can mask the more sophisticated attacks. So, technically, a DDoS does not directly access personal information, it can often be a means of gaining access while obfuscating an attack in progress.

These hackers are showing how corrupt and misdirected some/most parts of our current governments and social structures are. They are doing our society a favor. The fact they are under a certain age does not mean they are just juvenile delinquents, simply they are the ones that see our society needs changing. It's going to happen. The generation supporting it will continue to grow, and continue the fight.

Also why are they worrying so much about the internet when there's still so much crime and corruption on the streets? Go do your job and make your society a better place to live rather than worrying about keeping your websites running.

To all those people defending them for "exposing security flaws" there is a right way and a wrong way to do it. Their method was to break in, grab all the data, upload it to Pirate bay for every ID thief on the Internet to have a field day and then publicly brag.

If they broke into these companies why didn't they tell them that they found a gaping security flaw that needs to be fixed? That is the right way.

You're a fool. I read previous comments that have stated such things as the police should be more worried about physical crimes going on in the street and how this was mostly harmless. Perhaps you should have read them too. Of course, stolen identities is no small matter, but perhaps people shouldn't be so blind about giving their information away on the Internet in the first place. The police arresting members of Anonymous/LulzSec is both pointless and desperate, as they've mentioned countless times before, you remove one, and 10 rise to take his place. It's like trying to stop water going into the sea by blocking a single tributary.

coming to this a bit late, no-one was actually hacked, not in the hacked meaning, it was mainly an injection method that was used and if the "BIG MONEY GRABBERS" WON'T PAY FOR GOOD CODE WRITERS, WELL !!!!!!!!!!!!!!!!!

About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley